
I am trying to control access to a specific folder, so I have the Audit Object Access policy enabled and I've also enabled auditing on the folder I want. Now I plan to see these accesses in a CSV file.

I have the following script that is supposed to achieve this:

    # CSV name stamped with the current date/time, e.g. EventsFrom-02052022-1502.csv
    $OutputFileName = "EventsFrom-{0}.csv" -f (Get-Date -Format "MMddyyyy-HHmm")
    # Keep only 4656 (a handle to an object was requested); ReplacementStrings[1] is SubjectUserName for that event
    Get-EventLog -LogName Security |
        Where-Object { $_.EventID -eq 4656 } |
        Select-Object -Property TimeGenerated, MachineName, @{n='AccountName'; e={$_.ReplacementStrings[1]}} |
        Export-Csv -Path "c:\scripts\$OutputFileName" -NoTypeInformation

but the condition

    Where-Object { $_.EventID -eq 4656 }

causes the resulting CSV file to come out completely empty (not even table headers). But when I change the event ID (from 4656 to something like 4673) or remove the condition altogether, I do get results in the resulting CSV. Also, in Event Viewer, when I filter the results with ID 4656, results do show up. Right now I genuinely don't know what to do. Thanks in advance for any help.

I'd appreciate it if anyone could help me track down the cause of this. I don't really have much experience with PS scripting, so a detailed explanation as to why this is happening (or the actual solution to my problem) would be very helpful.

castigohd
    This might be better asked on Super User or Server Fault as it's not an issue with your code. – Santiago Squarzon Feb 05 '22 at 15:02
  • "Audit Object Access" is a classic/2003-era audit category - if Advanced Auditing (>2008) is enabled on the system, your policy changes won't have any effect. You need to run `auditpol /set /subcategory:"File System" /success:enable /failure:enable` (or edit the advanced audit policy under Windows Settings -> Security Settings -> Advanced Auditing Policies in the relevant policy editor) – Mathias R. Jessen Feb 05 '22 at 15:34
  • thank you for all taking your time and replying to my question. – castigohd Feb 06 '22 at 19:23
  • @MathiasR.Jessen I ran the command you suggested in PS and it said it had run successfully, but it didn't do anything. Next I tried the alternative way (as you mentioned inside the brackets): Windows Settings -> Security Settings -> Advanced Auditing Policies. From there, System Audit Policies -> Object Access, double-clicked on "Audit File System". In the new window I checked "Configure the following audit events" and checked all 3 boxes (this one included). After that I closed everything and, just like that, everything started working as intended. One more time, thank you for the help! – castigohd Feb 06 '22 at 19:26
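Added example (not code from the question or the comments): the thread's root cause was that no 4656 events were being generated because the Advanced Audit Policy "File System" subcategory was not enabled, so the script below first reads the effective policy for that subcategory with `auditpol /get /r` (CSV output) and warns if it is off, then collects 4656 events with `Get-WinEvent -FilterHashtable` instead of piping the whole Security log through `Where-Object`. It parses the event XML by field name (SubjectUserName, ObjectName, AccessMask) rather than relying on ReplacementStrings positions, and keeps only file objects under one folder. The folder path `C:\Shares\Finance` and the output directory `C:\scripts` are assumptions for illustration; it must run elevated to read the Security log and the audit policy.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Paths below are assumptions.
$WatchedFolder = 'C:\Shares\Finance'   # assumed: the folder with auditing enabled on its SACL
$OutputDir     = 'C:\scripts'          # assumed: where the CSV is written
$OutputFile    = Join-Path $OutputDir ("EventsFrom-{0}.csv" -f (Get-Date -Format 'MMddyyyy-HHmm'))

# 1. Check the effective Advanced Audit Policy. Once any advanced subcategory is
#    configured, the legacy "Audit object access" category is ignored; file and
#    folder accesses (4656/4663) come from the "File System" subcategory only.
$policy = auditpol /get /subcategory:"File System" /r |
    Where-Object { $_ -match '\S' } |     # auditpol emits a blank line before the CSV header
    ConvertFrom-Csv

if (-not $policy -or $policy.'Inclusion Setting' -eq 'No Auditing') {
    Write-Warning 'Advanced audit subcategory "File System" is not enabled; no 4656 events will be generated.'
    Write-Warning 'Enable it with: auditpol /set /subcategory:"File System" /success:enable /failure:enable'
} else {
    Write-Host ("File System auditing is set to: {0}" -f $policy.'Inclusion Setting')
}

# 2. Pull only event 4656 from the Security log. Filtering by Id in the hashtable is
#    done by the event log service, so the whole log is not read into PowerShell.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656 } -ErrorAction SilentlyContinue

# 3. Extract named EventData fields from each event's XML.
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # 4656 also fires for registry keys, processes, etc.; keep files under the watched folder.
    if ($data.ObjectType -ne 'File') { continue }
    if ($data.ObjectName -notlike "$WatchedFolder*") { continue }

    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        Computer    = $e.MachineName
        Domain      = $data.SubjectDomainName
        AccountName = $data.SubjectUserName
        ObjectName  = $data.ObjectName
        AccessMask  = $data.AccessMask      # hex mask of the rights requested, e.g. 0x120089 = read
        ProcessName = $data.ProcessName
    }
}

# 4. Write the CSV, and say so explicitly when nothing matched instead of producing an empty file.
if ($rows) {
    $rows | Export-Csv -Path $OutputFile -NoTypeInformation
    Write-Host ("Wrote {0} events to {1}" -f @($rows).Count, $OutputFile)
} else {
    Write-Warning "No 4656 file events for $WatchedFolder were found in the Security log."
}
```

`Get-WinEvent` is used rather than `Get-EventLog` because the hashtable filter is applied by the event log service, and because `Get-EventLog` exists only in Windows PowerShell 5.1, not in PowerShell 7. The policy check reads what the machine is actually applying, so if a domain GPO overrides a local `auditpol /set`, the warning reflects the effective setting.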
